Social Engineering: how not to fall for the scam?
By Prempal Singh
In nature, there are two of the most powerful motivators for all human actions – this is fear and curiosity. Each of them can lead to illogical and stupid acts that do not always turn out to be something good.
Ekaterina Rudaya, an expert at the Jet Infosystems security analysis lab , tells how human emotions play on the hacker side and become the key to successful attacks.
For the past few years, I have been conducting experiments on the “hacking” of people — exposing them with social engineering methods and checking how resistant they are to the manipulations of real intruders.
These attacks are based on the characteristics of human psychology: playing on the feelings of the victim, fraudsters with various pretexts force it to act in their own interests.
There are a lot of methods of deception in the arsenal of intruders. For ordinary people, it may
Often, attackers call bank customers on behalf of a credit institution and offer to switch to new, more favorable deposit terms.
So that you do not make a mistake when choosing, Rusbase recommends to its readers reliable lawyers and attorneys.
They convince the victim that it is not at all necessary to visit the office of the credit organization – it’s enough to name the card number and CVV code. Sometimes fraudsters even insist on the operation, citing the limited duration of the offer. In our experience, everything that can be called a fraud or a scam often goes hand in hand with social engineering methods.
The threat of the company
As soon as a person becomes an employee of the company, calls with threats to block the card turn into messages from “partners”, requests to call the code are transformed into letters with phishing links, and “government services” mutate into “motivated and interested applicants”. The main goal in such cases is not a separate person, but the whole company.
There are many similar examples in our practice when employees opened letters with malicious attachments received under the guise of a cooperation offer. That is, the employees themselves opened access to their computer to the attackers, and, as a result, to all files and correspondence, the enterprise network.
According to our estimates, more and more intruders are attacking citizens, as this is faster and more efficient. At the same time, very few companies report hacking into their infrastructure through social engineering.
Such attacks are not immediately detected, long eliminated and almost never covered in the media, because information about such incidents can bring financial and reputational losses. So what about the real state of affairs can only guess.
Nevertheless, it is more interesting and more profitable for fraudsters to attack a whole company, and not an individual person.
By hacking into one employee, an attacker can access all the internal infrastructure and information of an organization: a list of partners and customers, financial statements, personal data of employees, plans for the next year, information about their own developments, and so on.
In order to hook the company’s employee with something, whole schemes and separate vectors are created:
- all available social networks are reviewed for potentially valuable information,
- profiles on professional portals are being studied.
All information obtained in the future is used to select the optimal “goal” or legend, which will fit the specific organization.
Many intruders walk the trodden path and try to intimidate their victims. Most often, there are threats of dismissal or fines, messages marked “it was necessary yesterday” or “very important”, sometimes there are requests to check some service. But generations succeed each other, and the use of fear as a motivator is less and less justified.
Quite different is the situation with curiosity. This motivator seems to me to be the most advantageous, since it gives more room for creative realization. That is what we used in the overwhelming majority of successful projects as an impetus to some kind of action. The most memorable cases are presented below.
“Freebie, come”
We were inspired by this endless desire to get everything for nothing.
In one company, besides the main activity, they were actively engaged in merchandising – they were selling those very things, which I don’t want to spend money for, but it would be nice if they just stood on the table. For 20 minutes, a colleague and I registered a domain, created a website with elements of corporate style, made a simple registration form, collected email addresses and worked on a legend.
The next day, employees of the company received the following letters:
“Colleagues, due to the imminent release of a new collection of our products, the existing balances will be distributed to the company’s employees. No more than three things in one hand.To control the distribution on the site added registration form. Hurry up, quantity is limited. ”
The attack was more than successful. Only the number of employees who wrote us a return letter stating that the site does not work can be counted in dozens, not to mention those who have entrusted their credentials to a phishing site.
“For a bouquet of roses”
For a long
We found her profile on social networks and found out the phone number.Then they called under the guise of a popular cosmetic store, which she apparently used, judging by the posts in social networks. They reported that she was waiting for a gift for frequent orders, loyalty and posts in social networks, clarified a convenient time for delivery, specifically choosing working time.
My colleague disguised as a courier delivered the girl a flash drive, flowers and candy. And after 15 minutes we got access to her work computer and the entire internal network of the company.
Needless to say that we have compromised financial documents, credentials for access to various financial portals and access to 1C.
“New Year”
On the eve of the New Year, I prepared holiday posters on which pigs (the symbol of the coming year), the inscription “2019”, the logo of the company Z and an offer to take part in the drawing were depicted.
The latter implied a link to the phishing link, where then you had to register under your account. With these A3 size posters and double-sided scotch, I went to an interview at the specified company.
The interview went very badly: I was constantly called, distracted, I had to leave the office, I accidentally confused the floor, the office, the elevator, the door to the female toilet, and after the meeting no one escorted me to the exit. All this time I had enough to hang 14 posters in the corridors, elevators and on the doors of the company.
An hour later I had access to the post office of IT specialists, accountants, and recruiters.
Mostly in the mail discussed a broken link from the New Year’s poster. For example, the message of one of the IT specialists looked like this: “I clicked on the link, entered the password – nothing happens.”
In the same place, a VPN was found in the mail to the internal network, passwords from all Wi-Fi points, plans for the company for the next year, credentials for access to the control panel of the corporate site. After another 15 minutes, on the main page of the internal corporate portal of the company Z, I showed off my poster with the pigs and the offer to participate in the raffle.
Conclusion
And finally, I would like to share a few life hacking, which will help readers to resist the manipulation of fraudsters.
Checklist: five life hacking to protect against attacks by social engineering methods
- Feel free to ask your colleagues what innovations are being introduced in your company and new contests are being held. If you see a message about a contest, draw, appearance of a new resource or service, do not be lazy to ask the person responsible for this event if this information is correct.
- If you are not sure about the authenticity of the resource that you are asked to access, enter the wrong username and password. Most often, phishing pages redirect the victim to a reliable website after entering data.
- Try to forget about flash drives in the workplace. If you had to use such a device, be sure to check it with an antivirus.
- If you receive a letter with any request from an unfamiliar colleague, look for it in the address book. Verify the email address from the address book with the address from the letter.
- Try to be skeptical of emails from IT or IB services that require urgent verification of any service. It is very unlikely that you will be notified by mail about a really urgent check.